bugzilla-daemon at mindrot.org
2002-Jul-18 04:33 UTC
[Bug 342] RhostsRSAAuthentication does not work with 3.4p1
http://bugzilla.mindrot.org/show_bug.cgi?id=342

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com  2002-07-18 14:33 -------
ssh is by default not set-uid root.  re-open if this is the cause.

     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
             host authentication.  The argument must be ``yes'' or ``no''.
             The default is ``no''.  This option applies to protocol version 1
             only and requires ssh to be setuid root.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Jul-30 23:14 UTC
[Bug 342] RhostsRSAAuthentication does not work with 3.4p1
http://bugzilla.mindrot.org/show_bug.cgi?id=342

djast at cs.toronto.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From djast at cs.toronto.edu  2002-07-31 09:14 -------
When PrivilegeSeparation is enabled, RhostsRSAAuthentication seems to look up
the connecting host in the known_hosts file by IP address rather than by name.
The tests below were run as root on the client side, so setuid is not an
issue.

With UsePrivilegeSeparation=yes, sshd -d -d -d reports:

[...]
debug1: Attempting authentication for root.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for root from 128.100.2.31 port 56036
debug3: mm_request_receive entering
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host 128.100.2.31
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1414a0
debug3: Trying to reverse map address 128.100.2.31.
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug1: restore_uid: 0/1
debug2: check_key_in_hostfiles: key not found for 128.100.2.31
debug3: mm_answer_keyallowed: key 1414a0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
debug3: mm_send_debug: Sending debug: Accepted host jane.cs ip 128.100.2.31 client_user root server_user root
debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
Failed rhosts-rsa for root from 128.100.2.31 port 56036 ruser root

With UsePrivilegeSeparation=no:

[...]
debug1: Attempting authentication for root.
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host jane.cs
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug3: check_host_in_hostfile: match line 11
debug2: check_key_in_hostfiles: key ok for jane.cs
Rhosts with RSA host authentication accepted for root, root on jane.cs.
Accepted rhosts-rsa for root from 128.100.2.31 port 56048 ruser root

The first case fails and the second succeeds, because the sshd_known_hosts
file contains an entry for *.cs but not for 128.100.2.31.
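The lookup behaviour behind this report, as an added example that is not OpenSSH's own code: a small reimplementation of the known_hosts host-field matching that check_host_in_hostfile relies on (comma-separated wildcard patterns with `!` negation), run against a constructed ssh_known_hosts sample that has a `*.cs` entry and no entry for 128.100.2.31. The function name lookup_canonical_host, the sample entries and the placeholder key fields are this example's own; it shows why a lookup keyed on the literal IP (the privsep canonical host) can never hit a name wildcard, which is what a defender auditing host-based authentication needs to check when sshd's reverse mapping differs between the two modes.

```c
#include <stdbool.h>
#include <string.h>
/* Wildcard match for one known_hosts host pattern ('*' any run, '?' one char). */
static bool match_pattern(const char *s, const char *pat)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*')                        /* try every split point for '*' */
        for (;; s++) {
            if (match_pattern(s, pat + 1)) return true;
            if (*s == '\0') return false;
        }
    if (*s == '\0' || (*pat != '?' && *pat != *s)) return false;
    return match_pattern(s + 1, pat + 1);
}

/* Host field = comma-separated patterns; a matching '!' pattern vetoes the entry. */
static bool match_host_field(const char *host, const char *field)
{
    char buf[256];
    bool matched = false;
    strncpy(buf, field, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *p = strtok(buf, ","); p; p = strtok(NULL, ",")) {
        if (*p == '!') { if (match_pattern(host, p + 1)) return false; }
        else if (match_pattern(host, p)) matched = true;
    }
    return matched;
}

/* Constructed ssh_known_hosts sample modelled on the report: a wildcard entry
 * for *.cs and none for 128.100.2.31 (the key fields are placeholders). */
static const char *const sample_known_hosts[] = {
    "# cs department hosts",
    "*.cs,!jane-old.cs 1024 35 PLACEHOLDER_RSA1_MODULUS",
    "10.0.0.5 1024 35 PLACEHOLDER_RSA1_MODULUS",
};

/* 1-based line of the first matching entry for the canonical host name, or 0 ("key not found"). */
int lookup_canonical_host(const char *host)
{
    int n = sizeof sample_known_hosts / sizeof sample_known_hosts[0]; char field[256];
    for (int i = 0; i < n; i++) {
        const char *line = sample_known_hosts[i];
        size_t len = strcspn(line, " \t");  /* host field ends at whitespace */
        if (line[0] == '#' || len == 0 || len >= sizeof field) continue;
        memcpy(field, line, len); field[len] = '\0';
        if (match_host_field(host, field)) return i + 1;
    }
    return 0;
}
```

With the canonical host "jane.cs" the wildcard entry on line 2 matches; with "128.100.2.31" nothing matches, reproducing the two outcomes in the debug output above.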